A survey detailing business and charity action on cyber security and the costs and impacts of cyber breaches and attacks.

Highlighting the continued pressure that businesses are under from cyber-attacks as well as what they are – or are not – doing to defend themselves against threats.

Qualifi Awarding Organisation (Ofqual regulated) has in collaboration with The Global Cyber Academy developed qualifications including Level 2, 3 and 4 and the soon to be available Level 5. The qualifications are fundable for eligible candidates via the Education and Skills Funding Agency at Levels 2 and 3, Adult Education Budget at levels 2 and 3 or through Advanced Learner Loans at levels 3, 4 and 5. For further information regarding funding and access / approval of delivery please contact ray@qualifi.net

Extracts below:

“Awareness raising and engagement among wider staff is also important. As in 2017, the most disruptive breaches are most commonly spotted by individual staff members rather than picked up automatically by anti-malware programmes. Organisations in the qualitative survey also noted the importance of regular and targeted training for all staff. However, in reality staff training remains rare; just two in ten businesses (20%) and even fewer charities (15%) have had staff undertake any form of cyber security training in the past year. Furthermore, businesses in this latest survey are less likely to have responded to breaches with additional staff training than in 2017”.

Key findings include:

Training has not increased, with only a fifth (20%) of businesses having had staff attend any form of cyber security training in the last 12 months, with non-specialist staff being particularly unlikely to have attended.

43% of UK businesses reported breaches or attacks in the last 12 months (compared to 46% last year), but large businesses are under siege with 72% affected

Fewer 27% of UK businesses have a formal cyber security policy in place this year (compared to 33% last year)

The average (mean) cost of breaches with such outcomes is £3,100 (almost double from last year), large businesses lose an average of £22,300

The most common forms of attack affecting UK businesses were Fraudulent emails (75%), hackers impersonating an organisation online (28%), Viruses, spyware or malware (24%) – on a special mention, ransomware dropped to from 17% to 15% this year

It is worth noting that the proportion of businesses saying cyber security is a low priority has fallen since 2016 (from 30%, to 24% in this survey), indicating that it is now on the agenda for more businesses. More specifically, in this latest survey, more small businesses say it is a very high priority than in the 2017 survey (up from 33% to 42%).

Just over a third (35%) of businesses have staff whose job role includes information security or governance.Compared to businesses overall, a similar proportion of charities (38%) employ specialist staff.

Staff training

A fifth (20%) of businesses have had staff attend internal or external training on cyber security in the last 12 months, which is similar to previous years. The overall figure comprises 12 per cent of businesses providing internal training, seven per cent offering external training and 10 per cent where staff attended seminars or conferences. This is lower for charities (15%). Specifically, nine per cent of charities provide internal training, seven per cent external training, and eight per cent had staff attend seminars or conferences.

It is worth noting that businesses that report cyber skills gaps are less likely than average to have sent staff on cyber security training (12% of businesses that report skills gaps have done so, versus 20% overall). A similar difference exists among charities, albeit with smaller sample sizes. This suggests that organisations that have identified a problem with skills gaps have not necessarily taken steps to address it through offering training.

Organisations are most likely to send directors or senior management staff on cyber security training, and this is more common among businesses than charities, as Figure 4.9 indicates. Across businesses, this proportion is lower among medium businesses (63%, versus 76% for the average business) and large businesses (59%). Among businesses, the figure for directors or senior management is similar to 2017, although a lower proportion of businesses offer training specifically to IT staff than in the 2017 survey.

It is considerably rarer for non-specialist and non-senior staff to attend this kind of training, both in businesses and charities. In addition, just seven per cent of charities offered such training to any volunteers. This contrasts with findings from the qualitative survey, which highlighted that many organisations wanted all their staff to be vigilant of cyber security threats.

Barriers to training

The qualitative survey also raised several barriers to training, including cost, format, regularity and not seeing the need for training:

There was a sense that induction training, irregular training, or training that was not mandatory could be easily forgotten. There were various examples of good practice to combat this. One smaller organisation arranged individual sessions with every staff member. One had moved towards more targeted training, making staff go on training courses only after they had failed an internal penetration test with a fake phishing email. Another organisation required all their staff to complete an annual online module on cyber security, and non-completion meant that they would not be eligible for their yearly bonus.

Cost and logistics meant that face-to-face training sessions were difficult, and some wanted or had already adopted more video training sessions or webinars. This matches similar findings from the 2017 qualitative research with charities.

Ray Brogden COO of Qualifi would like to point out that through the work of Qualifi and the Global Cyber Academy, Regulated Qualification Framework qualifications that are affordable, fundable (subject to eligibility), accessible via online blended approaches and flexible in order to respond to employer and candidate needs are available now. For further information contact Ray Brogden ray@qualifi.net